Conformity Assessment for EU's Cyber Resilience Act

This service helps manufacturers, software developers, and importers of digital products navigate the mandatory requirements of the EU’s Cyber Resilience Act (CRA) through a structured, multi-phase approach.

Request a quote

Testing under the EU Cyber Resilience Act (CRA) is ongoing and risk-based, spanning the product's support period rather than a single point-in-time check. Manufacturers must document their test plans and test reports, keep records of how each identified vulnerability was handled, maintain a Software Bill of Materials (SBOM) in a commonly used, machine-readable format covering at least the product's top-level dependencies, and retain evidence of regular security testing and review of the product (in practice, penetration test reports).

The exact testing and conformity procedures depend on your product's risk class:

  • Default Category (e.g., memory chips, mobile apps, smart speakers, computer games): Self-assessment is allowed using Module A (internal control), whether or not harmonised standards are applied.
  • Important Products, Class I (e.g., operating systems, anti-virus software, routers, password managers): Self-assessment under Module A is allowed only if the manufacturer applies the relevant harmonised standards, common specifications, or a European cybersecurity certification scheme in full; otherwise a Notified Body must be involved (EU-type examination plus conformity to type, or full quality assurance).
  • Important Products, Class II (e.g., firewalls, intrusion detection/prevention systems, hypervisors, container runtimes): Third-party assessment by a Notified Body is always required.
  • Critical Products (e.g., smart cards and secure elements, smart meter gateways): A European cybersecurity certificate is required where the Commission mandates one by delegated act; until then, the Class II procedures apply.

In short: important products are listed in Annex III of the CRA and critical products in Annex IV. Class II and critical products always need third-party involvement; Class I products need it only when the manufacturer does not apply harmonised standards, common specifications, or a European cybersecurity certification scheme in full.


Our comprehensive CRA solutions include:

  1. Regulatory Gap Assessment: A comprehensive audit of your existing products (hardware, software, or remote data processing solutions) to identify gaps between your current security practices and the essential cybersecurity requirements set out in Annex I of the CRA.
  2. Product Classification Advisory: Expert consultation to determine whether your product falls under the "Important" (Class I or Class II) or "Critical" categories, so that you understand which conformity assessment procedure applies to you.
  3. Independent Third-Party Conformity Assessment: Formal, impartial evaluation and testing for Class II and Critical products, and for Class I products that do not apply harmonised standards in full, as mandated by EU regulations, providing the certification you need before affixing the CE marking.
  4. Security Framework Optimization: Guidance on implementing the CRA's essential requirements: a cybersecurity risk assessment that drives secure-by-design and secure-by-default product design (Annex I, Part I), vulnerability handling processes (Annex I, Part II), and the incident response and recovery capabilities that underpin the manufacturer's duty of care.
  5. Lifecycle Security Management: Support in establishing processes for security updates throughout the support period, coordinated vulnerability disclosure and handling, and the mandatory reporting workflows for actively exploited vulnerabilities and severe incidents required for post-market compliance.


Contact our experts to obtain your quotation now! 

Q1. Does the Cyber Resilience Act (CRA) apply to my company?

If you place products with digital elements on the European Union market, whether new products or existing products that have been substantially modified, the CRA very likely applies to you. It imposes obligations on manufacturers (including software developers), importers, and distributors of hardware, software, and remote data processing solutions, with the heaviest obligations falling on manufacturers. Our initial consultation can help determine your specific obligations based on your product portfolio.


Q2. What is the difference between the CRA and regulations like NIS2 or DORA?

NIS2 and DORA regulate the organisations that operate networks and information systems (essential and important entities under NIS2, financial entities such as banks under DORA) and the security of those systems. The CRA regulates the products themselves: it establishes mandatory cybersecurity requirements for the digital devices and software you place on the market, regardless of the industry in which the user operates.


Q3. How do I know if my product requires third-party certification?

The CRA categorizes products into four levels: Default, Important (Class I), Important (Class II), and Critical. Class II and Critical products always require third-party assessment; Class I products require it only if you do not apply the relevant harmonised standards, common specifications, or a European cybersecurity certification scheme in full; Default products can be self-assessed. We provide a classification service to identify your product's category and the corresponding level of scrutiny required.


Q4. What happens if my product doesn't meet the requirements by the 2027 deadline?

The CRA applies in full from 11 December 2027. From that date, products with digital elements may only be placed on the EU market if they meet the essential cybersecurity requirements, have undergone the applicable conformity assessment, and carry the CE marking. Note that the manufacturer's reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026. Non-compliance means loss of market access (market surveillance authorities can order a product to be withdrawn or recalled) and administrative fines: up to EUR 15 million or 2.5 percent of worldwide annual turnover, whichever is higher, for breaches of the essential cybersecurity requirements or the core manufacturer obligations; up to EUR 10 million or 2 percent for other obligations; and up to EUR 5 million or 1 percent for supplying incorrect, incomplete, or misleading information to authorities.


Q5. Does the CRA require us to provide support after the product is sold?

Yes. The CRA sets a support period during which the manufacturer must handle vulnerabilities effectively: at least five years, unless the product is expected to be in use for a shorter time. Throughout that period, security updates must be provided without delay and free of charge, and each update must remain available for at least ten years after its release or for the remainder of the support period, whichever is longer. Manufacturers must also operate a coordinated vulnerability disclosure policy and report any actively exploited vulnerability or severe incident affecting product security to the designated CSIRT and ENISA via the single reporting platform: an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report within 14 days (vulnerabilities) or one month (incidents).